# Auth0 Logs

## Overview

Panther ingests Auth0 tenant logs by configuring [Auth0's log streaming service](https://auth0.com/docs/customize/log-streams) to post events to a Panther [HTTP source](https://docs.panther.com/data-onboarding/data-transports/http).

## How to onboard Auth0 logs to Panther

### Step 1: Create a new Auth0 source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Auth0,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.\
   ![The Auth0 log source setup page is shown, in the Panther Console. In the upper-right corner, the Transport Mechanism dropdown has a value of "HTTP," and to its right is a Start Setup button. Both are circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-0d6b21fee1726ba875973ff39eb2f5aa758dba44%2FScreenshot%202023-06-07%20at%204.35.28%20PM.png?alt=media)
5. Follow Panther's [instructions for configuring an HTTP Source](https://docs.panther.com/data-transports/http#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * During setup, on the security configuration page, you will be required to use [bearer authentication](https://docs.panther.com/data-transports/http#bearer); this is the only method of authentication Auth0 supports. You can generate a token value by clicking the circular arrows, or supply your own.

     ![A section titled "Bearer Authentication" is shown. To the right of a "Bearer Token Value" field there is a button with two arrows arranged in a circle, and this button is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-11e00f12cdb0213d36a3b07584633f413a3cacaf%2Fimage.png?alt=media)
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-transports/http#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

### Step 2: Create a new Log Stream in Auth0

1. Log in to your Auth0 tenant.
2. From the dashboard, navigate to **Monitoring** > **Streams**.
3. Click **Create Stream**.
4. Select **Custom Webhook**.
5. Give your Event Stream a descriptive name, e.g., `Panther Log Stream`.
6. In the **Payload URL** field, paste the URL of the Auth0 HTTP source you created in Panther in the previous step of this process.
7. In the **Authorization Token** field, enter the bearer token you used in [Step 1](#step-1-create-a-new-auth0-source-in-panther), being sure to include the `Bearer` prefix. The complete format should be `Bearer <token value>`.
8. Click **Save**.

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Auth0 in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/master/rules/auth0_rules).

## Supported log types

### Auth0.Events

Auth0.Events are event logs from the Auth0 log stream. For more information, see [Auth0's documentation on tenant log events](https://auth0.com/docs/deploy-monitor/logs).

````yaml
schema: Auth0.Events
description: Event logs from Auth0 Log Stream
referenceURL: https://auth0.com/docs/deploy-monitor/logs
fields:
  - name: log_id
    required: true
    description: The ID of the log.
    type: string
  - name: asdfg
    type: array
    validate:
      allow: ['authentication']
    element:
      type: string
  - name: data
    required: true
    description: The data object containing information about the log.
    type: object
    fields:
      - name: date
        description: Date/Time when the event occurred.
        type: timestamp
        isEventTime: true
        timeFormats:
          - rfc3339
      - name: type
        description: Type of event.
        type: string
      - name: description
        description: Description of this event.
        type: string
      - name: connection
        description: Name of the connection the event relates to.
        type: string
      - name: connection_id
        description: ID of the connection the event relates to.
        type: string
      - name: client_id
        description: ID of the client (application).
        type: json
      - name: client_name
        description: Name of the client (application).
        type: string
      - name: ip
        description: IP address of the log event source.
        indicators:
          - ip
        type: string
      - name: client_ip
        type: string
        description: IP address of the client which caused the event.
        indicators:
          - ip
      - name: hostname
        description: Hostname the event applies to.
        type: string
      - name: user_id
        description: ID of the user involved in the event.
        type: string
        indicators:
          - username
      - name: user_name
        description: Name of the user involved in the event.
        type: json
      - name: audience
        description: API audience the event applies to.
        type: string
      - name: scope
        description: Scope permissions applied to the event.
        type: json
      - name: strategy
        description: Name of the strategy involved in the event.
        type: string
      - name: strategy_type
        description: Type of strategy involved in the event.
        type: string
      - name: details
        description: Additional useful details about this event (structure is dependent upon event type).
        type: json
      - name: log_id
        description: Unique ID of the event.
        type: string
      - name: is_mobile
        description: Whether the client was a mobile device (true) or desktop/laptop/server (false).
        type: boolean
      - name: user_agent
        description: User agent string from the client device that caused the event.
        type: string
      - name: location_info
        description: Information about the location that triggered this event based on the IP.
        type: object
        fields:
          - name: country_code
            description: Two-letter Alpha-2 ISO 3166-1 country code.
            type: string
          - name: country_code3
            description: Three-letter Alpha-3 ISO 3166-1 country code.
            type: string
          - name: country_name
            description: Full country name in English.
            type: string
          - name: city_name
            description: Full city name in English.
            type: string
          - name: latitude
            description: Global latitude position.
            type: float
          - name: longitude
            description: Global longitude position.
            type: float
          - name: time_zone
            description: Time zone name as found in the tz database.
            type: string
          - name: continent_code
            description: Two-letter continent code.
            type: string
````
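
The `data.type`, `data.ip`, `data.user_name` and `data.date` fields in this schema are enough to triage a stream of Auth0 events for password spraying. The following is an added example, not part of Panther's documentation or the panther-analysis rules: it flags source IPs whose failed logins span several accounts inside a short window. The function name, thresholds and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Auth0 event type codes: f = failed login, fp = incorrect password,
# fu = invalid email/username.
FAILED_LOGIN_TYPES = {"f", "fp", "fu"}


def spraying_ips(events, min_users=3, window=timedelta(minutes=10)):
    """Map each source IP to the accounts it failed to log in to, for IPs
    that hit at least min_users distinct accounts inside one window."""
    failures = defaultdict(list)  # ip -> [(time, user_name)]
    for event in events:
        data = event.get("data") or {}
        if data.get("type") not in FAILED_LOGIN_TYPES:
            continue
        ip, user, date = data.get("ip"), data.get("user_name"), data.get("date")
        if not (ip and user and date):
            continue  # the schema only requires log_id and data
        # data.date is an rfc3339 timestamp per the schema; "Z" means UTC.
        when = datetime.fromisoformat(date.replace("Z", "+00:00"))
        failures[ip].append((when, str(user)))

    flagged = {}
    for ip, hits in failures.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop failures older than the window
            users = {name for _, name in hits[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


# Constructed sample rows: (type, ip, user_name, minute past 10:00 UTC).
ROWS = [("fp", "203.0.113.7", "alice", 0), ("fu", "203.0.113.7", "bob", 2),
        ("fp", "203.0.113.7", "carol", 5), ("s", "203.0.113.7", "dave", 6),
        ("fp", "198.51.100.9", "alice", 1), ("fp", "198.51.100.9", "alice", 3),
        ("fp", "192.0.2.5", "alice", 0), ("fp", "192.0.2.5", "bob", 20),
        ("fp", "192.0.2.5", "carol", 40)]
SAMPLE_EVENTS = [
    {"log_id": str(n), "data": {"type": t, "ip": ip, "user_name": user,
                                "date": f"2024-01-01T10:{minute:02d}:00.000Z"}}
    for n, (t, ip, user, minute) in enumerate(ROWS)
]
```

Only `203.0.113.7` is flagged on the sample input: `198.51.100.9` retries a single account, and the failures from `192.0.2.5` are spread too far apart to share a window.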
